Internet service providers (ISPs) said that web browsing and app usage history should not be considered “sensitive information,” according to a recent filing with the Federal Communications Commission (FCC).
The CTIA, an advocacy group representing ISPs including AT&T, Verizon Wireless, T-Mobile USA, and Sprint, filed a document with the FCC on March 16, stating that that group’s consumer privacy rules passed during the Obama administration should be rolled back. The privacy rules require ISPs to obtain consent from consumers to use and share sensitive information, including web browsing history, app usage history, and the content of communications, as well as geolocation, financial information, health information, children’s information, and social security numbers.
The Obama era opt-in rules are scheduled to take effect on December 4, 2017. If ISPs win their petition to the FCC to eliminate the rules, the ISPs could potentially sell web and app usage history to advertisers.
The CTIA based its argument that web browsing and app usage history should not be considered sensitive information on differences between the FCC’s position and that of the Federal Trade Commission (FTC).
“[T]he FTC Privacy Report defined as ‘sensitive’ just five discrete types of information (Social Security numbers and financial, health, children’s, and precise geolocation information), and the FTC articulated specific privacy risks associated with the misuse of such data that warranted classifying them as ‘sensitive,'” according to the CTIA filing. “It did not find – either in its Privacy Report or in its comments in this proceeding – that web browsing history as a category posed such risks.”
The filing goes on to say that in order to diverge from the FTC’s framework and define web browsing data as “sensitive,” the FCC “cherry-picked evidence in an attempt to show that ISPs have unique and comprehensive access to consumers’ online information,” the CTIA wrote. “As the full record shows, however, this is simply not true.”
The CTIA also argued that “ISPs should be able to infer consent to use customer information for firstparty marketing,” and said that preventing this restricts competition and harms customers by not informing them of available new products and services.
The privacy rules implemented by Obama are opposed by FCC chairman Ajit Pai, as well as Republicans in Congress, so it’s unlikely that they will survive in their current state. However, privacy experts say the FCC rules are necessary to protect consumers.
“Web browsing and app usage data—a small subset of what is available to internet access providers like ISPs—is highly sensitive information; your web browsing history is just as sensitive as your library book reading records, but much more so as it applies to more and more of the information you consume on a daily basis, to the extent more of what we do happens through a fewer number of screens,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology.
Consumers have few choices when it comes to internet access, Hall added. “We believe the FCC broadband privacy rules struck the right balance in terms of recognizing ISPs have an important custodial duty to protect the data and interactions they make possible,” he said.
John Pironti, president of IP Architects, said he can understand the ISP argument that not all data can be considered sensitive. “I believe it is important to understand that all data is not created equal,” Pironti said. “If all data is classified as sensitive, then the marking itself and the controls that are expected and required will lose value and impact.”
However, it is also important to give consumers a choice on how their data is collected and used, Pironti said. “I support the collection and analysis of data by ISPs for quality of service purposes to ensure the availability and reliability of their services,” he added. “I do not agree that this data should be able to be used beyond this purpose without the explicit permission of the individual who the data is collected from, though.”
In terms of selling data for marketing and sales activities, Pironti said he believes the user should be required to explicitly allow this activity, or at a minimum be allowed to opt out of of this data collection.
“The ISPs could consider offering some incentive model to those individuals who allow their web browsing activities and application usage to be captured and analyzed (such as discounted service) in return for the use of their data and potential loss of privacy,” Pironti said. “This will allow the user to make a risk and reward-based decision for themselves instead of having no control or insight into the collection and use of this data.”
The 3 big takeaways for TechRepublic readers
1. Internet service providers recently filed a petition with the Federal Communications Commission stating that web browsing and app usage history should not be considered “sensitive information.”
2. FCC rules set to go into effect in December 2017 would require ISPs to get customer permission to use and share sensitive information. If they are rolled back, ISPs could sell that information to advertisers.
3. Privacy experts argue that the rules protect consumers and should remain in place, with some caveats.